Blog

This morning, the European Parliament voted to condemn member state plans to disconnect suspected illicit filesharers from the internet. In a fairly narrow vote, MEPs adopted an amendment to the so-called Bono Report on the Cultural Industries, which

"Calls on the Commission and the Member States to recognise that the Internet is a vast platform for cultural expression, access to knowledge, and democratic participation in European creativity, bringing generations together through the information society; calls on the Commission and the Member States, therefore, to avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access."

The report is not legally binding, but it does signify resistance among MEPs to measures currently being implemented in France to disconnect suspected illicit filesharers. This is especially relevant as France will take over the European presidency in July, and many fear that President Sarkozy would use the opportunity to push the so-called "Oliviennes" strategy Europe-wide.

The UK government will consult UK citizens on their plans to tackle illicit filesharing this Spring. We've already blogged about ORG's objections to UK proposals here. In short, and as the European Parliament have recognised today, they are disproportionate, they lack consumer safeguards and they won't stop illicit filesharing.

Last month, we announced that Phorm, the company whose technology delivers targeted ads based on where you visit on the web, were planning to hold a public meeting to face their critics. Details of the meeting have now been announced.

80/20 Thinking, with the full cooperation of Phorm, has decided to organise a public meeting as part of the PIA (privacy impact assessment) process. We intend to use feedback from this event to inform the PIA. A final version of the PIA will be published by the end of April 2008.

The Information Commissioner's Office have today released a further statement on Phorm, making clear their belief that any systems using Phorm (such as BT's webwise) need to seek the consent of their customers on an opt-in (and not an opt-out) basis.

I'll be going to the public meeting next Tuesday, so if you'd like to ask a question, but you can't make it yourself, please leave it in the comments.

The Open Rights Group is proud to be one of the 43 civil liberties NGOs and professional associations based in 11 European countries today submitting a brief to the European Court of Justice (PDF). The amicus brief asks the Court to annul an EU directive ordering the blanket registration of telecommunications and location data of 494 million Europeans.

As the document lays out, data retention violates the right to respect for private life and correspondence, freedom of expression and the right of providers to the protection of their property:

"While it threatens to inflict great damage on society, its potential benefit appears, overall, to be little. Data retention can support the protection of individual rights only in few and generally less important cases. A permanent, negative effect on crime levels is not to be expected... [With data retention in place] citizens constantly need to fear that their communications data may at some point lead to false incrimination or governmental or private abuse of the data. Because of this, traffic data retention endangers open communication in the whole of society."

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Update: here's a recording of Becky's introductory remarks to the Westminster eForum on the future of copyright:

We don't always trumpet the work we do, such as talking to civil servants, journalists, students or other groups interested in digital rights, so it's nice when others compliment our efforts. On Monday of this week, we were at the Westminster eForum's seminar on Intellectual Property and the Future of Copyright. Ray Corrigan (Open University), who opened the event with a great talk on UK copyright, has posted these remarks:

The other highlights of the seminar were contributions from Becky Hogge of the Open Rights Group and film-maker, Jamie King, director of Steal This Film II. On the industry side Shira Perlmutter of the IFPI was quietly effective though I disagreed with some of what she had to say; Richard Mollet of the BPI started out well as you would expect of a confident, experienced PR professional but then, from my perspective, slightly misjudged the mood and came across as irritated that others, such as Andrew Gowers, had a different world view which was taken seriously. What was interesting was when he admonished us to get our language right - we should apparently be labeling the '3 strikes' laws/memorandums/agreements as a "graduated response" approach. Kettles, pots and a certain colour come to mind and anyway I think I prefer Louise Ferguson's "Internet ASBOS" as a more appropriate tag.

The full text and slides from Ray's talk, which covered the history of copyright legislation and the current reform landscape, are available from his blog. We've asked the WeF to supply an audio recording of Becky's contribution and will link if it becomes available.

Please use the link below to read our March 2008 supporters update. Headlines include the culmination of our Creative Business project and the Sound Copyright petition achieving over 10,000 signatories.

We didn’t go to Phorm for “the layman’s view”. We wanted the real deal, and I’m delighted to say that that’s what we got. Over the coming days, Richard Clayton will be posting details of different aspects of the system on Light Blue Touchpaper, posts which I will report on here. Earlier this month, the Open Rights Group called on Phorm to publish full details of how the technology will work – Richard’s analysis will provide this information. Only when we know how Phorm actually works can we model exactly what the implications of the technology are for users’ privacy. Richard and I also encouraged Phorm representatives to join the UK-crypto mailing list, in order to engage further with the expert community.

In the meantime, I thought it would be useful if I noted one of the less technical discussions that took place at the meeting. Phorm remain convinced that their technology, in the words of Simon Davies "advance[s] the whole sector of protecting personal information by two to three steps". This assertion is based on the significant measures they have taken to obscure identifying and sensitive information as they track web activity in order to serve targeted ads.

However, what this assertion fails to take into account is that BT, Virgin and TalkTalk are proposing to apply the Phorm system to a layer of the web stack that has previously been free of any such tracking and targeting activity. It is this aspect of the story which has caused so much public disquiet. As Sir Tim Berners-Lee put it last week:

"I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to."

If you don’t like the way a web application is protecting your privacy, you can use another one, and if you can’t find one you want to use then you can build your own. But you can’t build your own connectivity. If the UK’s major ISPs all sign up to Phorm, then UK citizens will find it increasingly difficult to find connectivity that doesn’t come with "strings attached". Internet users can opt out, as, it turns out, can server operators (but I’ll let Richard provide details of that). TalkTalk have even indicated that they will make their Phorm system opt in. But is this enough? How long until we are asked to pay a premium for connectivity which comes "snoop-free"?

Nothing Richard Clayton and I saw yesterday appeared to contradict the legal analysis issued by FIPR last week, analysis that raised questions as to Phorm’s legality under section 1 of the Regulation of Investigatory Powers Act. But the Phorm issue is far more likely to be decided upon in the court of public opinion than in a court of law.

At the meeting, I encouraged Phorm to engage further with its critics. They are now planning an open, public meeting to hear people’s concerns about their technology. As soon as I have details of this meeting I will publish them here. If you’ve seen expert comment on Phorm, or think that the debate would benefit if others (for example the ISPs themselves) were specifically invited, please leave your suggestions in the comments. Thanks to everyone who left comments to my previous two posts on Phorm; many of them were tremendously helpful in preparing for the meeting.

Earlier this month, ORG also called for 80/20 Thinking Ltd’s privacy impact assessment to be made public. An interim assessment [pdf], dated 10 February 2008, was published last week. It predicts the media and public backlash against Phorm, and leaves several questions unanswered, including "Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?" Phorm let us know yesterday that the full privacy impact assessment (which was due this month) has not yet been completed, and that they will publish it as soon as they can after it is complete.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial Phorm, a system which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet. As Sir Tim tells the BBC's Rory Cellan Jones today:

"I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn't control which websites I go to, it doesn't monitor which websites I go to."

"The Phorm system is highly intrusive -- it's like the Post Office opening all my letters to see what I'm interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme."

Open Rights Group exists to preserve and promote your rights in the digital age. We are funded by thousands of people like you. We are based in London, United Kingdom. Open Rights is a non-profit company limited by Guarantee, registered in England and Wales no. 05581537.